Windows Analysis Report
eWlldJYfLc

Overview

General Information

Sample Name: eWlldJYfLc (renamed file extension from none to dll)
Analysis ID: 595308
MD5: d098d01cbea52f858bce6d0d9faa5b26
SHA1: 952ce9cd899108c2821bf488b98387b6db8424b8
SHA256: 82c89b2a758177c7cfb7c1763b0444281c6b670deef015a886c866f18dbd8370
Tags: Dridexexe

Detection

Dridex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Dridex unpacked file
Multi AV Scanner detection for submitted file
Benign windows process drops PE files
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Sigma detected: Suspicious Svchost Process
Queues an APC in another process (thread injection)
Sigma detected: Suspicious Call by Ordinal
Machine Learning detection for dropped file
Accesses ntoskrnl, likely to find offsets for exploits
Contains functionality to automate explorer (e.g. start an application)
Contains functionality to prevent local Windows debugging
Uses Atom Bombing / ProGate to inject into other processes
PE file contains section with special chars
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Queries the installation date of Windows
Detected potential crypto function
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Tries to load missing DLLs
Found evasive API chain checking for process token information
Binary contains a suspicious time stamp
PE file contains more sections than normal
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection

Source: eWlldJYfLc.dll Virustotal: Detection: 67%
Source: eWlldJYfLc.dll Metadefender: Detection: 60%
Source: eWlldJYfLc.dll ReversingLabs: Detection: 88%
Source: eWlldJYfLc.dll Avira: detected
Source: C:\Users\user\AppData\Local\vFRJtv0CU\ACTIVEDS.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\4O9p1cGN\dwmapi.dll Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\Nz4mnM\UxTheme.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: C:\Users\user\AppData\Local\O0z6Mm4\XmlLite.dll Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\bj1HT\MFPlat.DLL Avira: detection malicious, Label: TR/Crypt.XPACK.Gen7
Source: C:\Users\user\AppData\Local\EQ0DjT2sP\DUI70.dll Avira: detection malicious, Label: TR/Crypt.XPACK.Gen4
Source: C:\Users\user\AppData\Local\n0R5g\Secur32.dll Avira: detection malicious, Label: TR/Crypt.ZPACK.Gen
Source: eWlldJYfLc.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\vFRJtv0CU\ACTIVEDS.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\4O9p1cGN\dwmapi.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Nz4mnM\UxTheme.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\O0z6Mm4\XmlLite.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\bj1HT\MFPlat.DLL Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\EQ0DjT2sP\DUI70.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\n0R5g\Secur32.dll Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Code function: 26_2_00007FF61310EFCC memset,CreateFileW,CryptCATAdminCalcHashFromFileHandle,CryptCATAdminCalcHashFromFileHandle,SetFilePointer,GetLastError,memset,WinVerifyTrustEx,WTHelperProvDataFromStateData,WTHelperGetProvSignerFromChain,CertVerifyCertificateChainPolicy,WinVerifyTrustEx,CloseHandle, 26_2_00007FF61310EFCC
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Code function: 26_2_00007FF61310F224 CreateFileW,CryptCATAdminCalcHashFromFileHandle,CryptCATAdminCalcHashFromFileHandle,GetLastError,CloseHandle,GetLastError,CryptCATAdminAcquireContext,CryptCATAdminEnumCatalogFromHash,memset,CryptCATCatalogInfoFromContext,CryptCATAdminReleaseCatalogContext,CryptCATAdminReleaseContext,GetLastError,GetLastError, 26_2_00007FF61310F224
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe Code function: 33_2_00007FF7B877F52C CryptProtectData,LocalAlloc,LocalFree, 33_2_00007FF7B877F52C
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe Code function: 33_2_00007FF7B877F8FC CryptBinaryToStringW,LocalAlloc,CryptBinaryToStringW,LocalFree, 33_2_00007FF7B877F8FC

Exploits

Source: C:\Windows\explorer.exe File opened: C:\Windows\system32\ntkrnlmp.exe
Source: eWlldJYfLc.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: SndVol.pdbGCTL source: SndVol.exe, 00000023.00000000.548108875.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe, 00000023.00000002.574100528.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe.4.dr
Source: Binary string: SppExtComObj.pdb source: SppExtComObj.Exe.4.dr
Source: Binary string: MFPMP.pdb source: mfpmp.exe, 0000001D.00000000.471765821.00007FF670A47000.00000002.00000001.01000000.0000000D.sdmp, mfpmp.exe, 0000001D.00000002.500806173.00007FF670A47000.00000002.00000001.01000000.0000000D.sdmp, mfpmp.exe.4.dr
Source: Binary string: CloudNotifications.pdb source: CloudNotifications.exe, 00000014.00000000.405037506.00007FF74078B000.00000002.00000001.01000000.00000009.sdmp, CloudNotifications.exe, 00000014.00000002.430793146.00007FF74078B000.00000002.00000001.01000000.00000009.sdmp, CloudNotifications.exe.4.dr
Source: Binary string: deviceenroller.pdb source: DeviceEnroller.exe.4.dr
Source: Binary string: MFPMP.pdbUGP source: mfpmp.exe, 0000001D.00000000.471765821.00007FF670A47000.00000002.00000001.01000000.0000000D.sdmp, mfpmp.exe, 0000001D.00000002.500806173.00007FF670A47000.00000002.00000001.01000000.0000000D.sdmp, mfpmp.exe.4.dr
Source: Binary string: DXPServer.pdbGCTL source: Dxpserver.exe, 0000001A.00000000.442933050.00007FF613111000.00000002.00000001.01000000.0000000B.sdmp, Dxpserver.exe, 0000001A.00000002.465912323.00007FF613111000.00000002.00000001.01000000.0000000B.sdmp, Dxpserver.exe.4.dr
Source: Binary string: mstsc.pdbGCTL source: mstsc.exe, 00000021.00000000.509159807.00007FF7B8824000.00000002.00000001.01000000.00000010.sdmp, mstsc.exe, 00000021.00000002.535164127.00007FF7B8824000.00000002.00000001.01000000.00000010.sdmp, mstsc.exe.4.dr
Source: Binary string: CameraSettingsUIHost.pdbGCTL source: CameraSettingsUIHost.exe.4.dr
Source: Binary string: CameraSettingsUIHost.pdb source: CameraSettingsUIHost.exe.4.dr
Source: Binary string: SppExtComObj.pdbUGP source: SppExtComObj.Exe.4.dr
Source: Binary string: mstsc.pdb source: mstsc.exe, 00000021.00000000.509159807.00007FF7B8824000.00000002.00000001.01000000.00000010.sdmp, mstsc.exe, 00000021.00000002.535164127.00007FF7B8824000.00000002.00000001.01000000.00000010.sdmp, mstsc.exe.4.dr
Source: Binary string: DDODiag.pdbGCTL source: ddodiag.exe.4.dr
Source: Binary string: DDODiag.pdb source: ddodiag.exe.4.dr
Source: Binary string: SndVol.pdb source: SndVol.exe, 00000023.00000000.548108875.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe, 00000023.00000002.574100528.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe.4.dr
Source: Binary string: CloudNotifications.pdbGCTL source: CloudNotifications.exe, 00000014.00000000.405037506.00007FF74078B000.00000002.00000001.01000000.00000009.sdmp, CloudNotifications.exe, 00000014.00000002.430793146.00007FF74078B000.00000002.00000001.01000000.00000009.sdmp, CloudNotifications.exe.4.dr
Source: Binary string: DXPServer.pdb source: Dxpserver.exe, 0000001A.00000000.442933050.00007FF613111000.00000002.00000001.01000000.0000000B.sdmp, Dxpserver.exe, 0000001A.00000002.465912323.00007FF613111000.00000002.00000001.01000000.0000000B.sdmp, Dxpserver.exe.4.dr
Source: Binary string: deviceenroller.pdbGCTL source: DeviceEnroller.exe.4.dr
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6711ED10 FindFirstFileExW, 0_2_00007FFC6711ED10
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C7ED10 FindFirstFileExW, 20_2_00007FFC74C7ED10
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Code function: 26_2_00007FF6130E1914 SHCreateDirectory,memset,FindFirstFileW,CompareStringOrdinal,CompareStringOrdinal,CompareStringOrdinal,CompareStringOrdinal,SHCreateDirectory,CompareStringOrdinal,CreateFileW,CloseHandle,GetLastError,SetFileAttributesW,CopyFileExW,GetLastError,CoCreateGuid,StringFromGUID2,MoveFileW,GetLastError,CopyFileExW,GetLastError,FindNextFileW,FindClose,GetLastError, 26_2_00007FF6130E1914

E-Banking Fraud

Source: Yara match File source: 33.2.mstsc.exe.7ffc74c20000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.2.SndVol.exe.7ffc74c20000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.CloudNotifications.exe.7ffc74c20000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.rundll32.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.rundll32.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.Dxpserver.exe.7ffc74c20000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.mfpmp.exe.7ffc74c20000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.loaddll64.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.rundll32.exe.7ffc670c0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000008.00000002.274772551.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.280898080.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.574221343.00007FFC74C21000.00000020.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.430869317.00007FFC74C21000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.382839680.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.500951495.00007FFC74C21000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.465961019.00007FFC74C21000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.260901088.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.267568902.00007FFC670C1000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.543380049.00007FFC74C21000.00000020.00000001.01000000.00000011.sdmp, type: MEMORY

System Summary

Source: SppExtComObj.Exe.4.dr Static PE information: section name: ?g_Encry
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC670F6130 0_2_00007FFC670F6130
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6712B960 0_2_00007FFC6712B960
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC670E4140 0_2_00007FFC670E4140
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC67126950 0_2_00007FFC67126950
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FF740782908 20_2_00007FF740782908
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C8D520 20_2_00007FFC74C8D520
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C55CD0 20_2_00007FFC74C55CD0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C87650 20_2_00007FFC74C87650
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C7DDC0 20_2_00007FFC74C7DDC0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C55020 20_2_00007FFC74C55020
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C697D0 20_2_00007FFC74C697D0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C73150 20_2_00007FFC74C73150
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C47880 20_2_00007FFC74C47880
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C6CA50 20_2_00007FFC74C6CA50
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C5AA70 20_2_00007FFC74C5AA70
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C559F0 20_2_00007FFC74C559F0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C6A2C0 20_2_00007FFC74C6A2C0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C5BAE0 20_2_00007FFC74C5BAE0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C4D550 20_2_00007FFC74C4D550
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C43D50 20_2_00007FFC74C43D50
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C39D70 20_2_00007FFC74C39D70
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C50D10 20_2_00007FFC74C50D10
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C51D30 20_2_00007FFC74C51D30
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C78D20 20_2_00007FFC74C78D20
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C33CD0 20_2_00007FFC74C33CD0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C53CF0 20_2_00007FFC74C53CF0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C8E494 20_2_00007FFC74C8E494
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C8A490 20_2_00007FFC74C8A490
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C4AC80 20_2_00007FFC74C4AC80
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C8E48B 20_2_00007FFC74C8E48B
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C8E4B6 20_2_00007FFC74C8E4B6
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C8E4AD 20_2_00007FFC74C8E4AD
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C8E4A6 20_2_00007FFC74C8E4A6
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C82CA0 20_2_00007FFC74C82CA0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C8E49D 20_2_00007FFC74C8E49D
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C70650 20_2_00007FFC74C70650
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C38670 20_2_00007FFC74C38670
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C52E10 20_2_00007FFC74C52E10
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C43610 20_2_00007FFC74C43610
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C21620 20_2_00007FFC74C21620
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C2DE20 20_2_00007FFC74C2DE20
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C525C0 20_2_00007FFC74C525C0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C395C0 20_2_00007FFC74C395C0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C365E0 20_2_00007FFC74C365E0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C9C590 20_2_00007FFC74C9C590
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C2C5A0 20_2_00007FFC74C2C5A0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C42F50 20_2_00007FFC74C42F50
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C80770 20_2_00007FFC74C80770
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C3E770 20_2_00007FFC74C3E770
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C9BF6F 20_2_00007FFC74C9BF6F
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C85760 20_2_00007FFC74C85760
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C80F30 20_2_00007FFC74C80F30
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C4872B 20_2_00007FFC74C4872B
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C87EC0 20_2_00007FFC74C87EC0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C26E90 20_2_00007FFC74C26E90
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C27E80 20_2_00007FFC74C27E80
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C4F6B0 20_2_00007FFC74C4F6B0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C8A6B0 20_2_00007FFC74C8A6B0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C506A0 20_2_00007FFC74C506A0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C45050 20_2_00007FFC74C45050
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C75840 20_2_00007FFC74C75840
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C5F870 20_2_00007FFC74C5F870
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C6F870 20_2_00007FFC74C6F870
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C21010 20_2_00007FFC74C21010
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C44800 20_2_00007FFC74C44800
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C4C030 20_2_00007FFC74C4C030
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C50020 20_2_00007FFC74C50020
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74CA0820 20_2_00007FFC74CA0820
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C3A7D0 20_2_00007FFC74C3A7D0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C38FC0 20_2_00007FFC74C38FC0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C94FF0 20_2_00007FFC74C94FF0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C46FE0 20_2_00007FFC74C46FE0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C26790 20_2_00007FFC74C26790
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C8C780 20_2_00007FFC74C8C780
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C9EF80 20_2_00007FFC74C9EF80
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C4E7B0 20_2_00007FFC74C4E7B0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C9B7A0 20_2_00007FFC74C9B7A0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C86950 20_2_00007FFC74C86950
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C44140 20_2_00007FFC74C44140
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C8B960 20_2_00007FFC74C8B960
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C3E110 20_2_00007FFC74C3E110
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C43910 20_2_00007FFC74C43910
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C2B100 20_2_00007FFC74C2B100
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C56130 20_2_00007FFC74C56130
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C218D0 20_2_00007FFC74C218D0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C9C0EB 20_2_00007FFC74C9C0EB
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C3D890 20_2_00007FFC74C3D890
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C308B0 20_2_00007FFC74C308B0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C9C8B1 20_2_00007FFC74C9C8B1
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C5B250 20_2_00007FFC74C5B250
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C27A40 20_2_00007FFC74C27A40
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C8B260 20_2_00007FFC74C8B260
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C521D0 20_2_00007FFC74C521D0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C469C0 20_2_00007FFC74C469C0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C4F1F0 20_2_00007FFC74C4F1F0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C591F0 20_2_00007FFC74C591F0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C589F0 20_2_00007FFC74C589F0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C59990 20_2_00007FFC74C59990
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C22980 20_2_00007FFC74C22980
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C3E9B0 20_2_00007FFC74C3E9B0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C411B0 20_2_00007FFC74C411B0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C4E9A0 20_2_00007FFC74C4E9A0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C85B50 20_2_00007FFC74C85B50
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C25350 20_2_00007FFC74C25350
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C43340 20_2_00007FFC74C43340
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C38340 20_2_00007FFC74C38340
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C54360 20_2_00007FFC74C54360
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C4A310 20_2_00007FFC74C4A310
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C50300 20_2_00007FFC74C50300
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C51B30 20_2_00007FFC74C51B30
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C2BB20 20_2_00007FFC74C2BB20
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C492C0 20_2_00007FFC74C492C0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C722C0 20_2_00007FFC74C722C0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C7F2C0 20_2_00007FFC74C7F2C0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C87AF0 20_2_00007FFC74C87AF0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C482E0 20_2_00007FFC74C482E0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C82AE0 20_2_00007FFC74C82AE0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C4DAA0 20_2_00007FFC74C4DAA0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C882A0 20_2_00007FFC74C882A0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C8AAA0 20_2_00007FFC74C8AAA0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C37410 20_2_00007FFC74C37410
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C89410 20_2_00007FFC74C89410
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C8E400 20_2_00007FFC74C8E400
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C9FC00 20_2_00007FFC74C9FC00
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C25C20 20_2_00007FFC74C25C20
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C35420 20_2_00007FFC74C35420
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C74BC0 20_2_00007FFC74C74BC0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C323F0 20_2_00007FFC74C323F0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C84390 20_2_00007FFC74C84390
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Code function: 26_2_00007FF61310BC70 26_2_00007FF61310BC70
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Code function: 26_2_00007FF6130F3C38 26_2_00007FF6130F3C38
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Code function: 26_2_00007FF6130FA064 26_2_00007FF6130FA064
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Code function: 26_2_00007FF6130FF460 26_2_00007FF6130FF460
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Code function: 26_2_00007FF6130EAC8C 26_2_00007FF6130EAC8C
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Code function: 26_2_00007FF6130F8CC0 26_2_00007FF6130F8CC0
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Code function: 26_2_00007FF6130E5CB8 26_2_00007FF6130E5CB8
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Code function: 26_2_00007FF6130E1914 26_2_00007FF6130E1914
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Code function: 26_2_00007FF613102900 26_2_00007FF613102900
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Code function: 26_2_00007FF613106740 26_2_00007FF613106740
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Code function: 26_2_00007FF613100790 26_2_00007FF613100790
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Code function: 26_2_00007FF613108BE0 26_2_00007FF613108BE0
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Code function: 26_2_00007FF61310EFCC 26_2_00007FF61310EFCC
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Code function: 26_2_00007FF6130E7404 26_2_00007FF6130E7404
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Code function: 26_2_00007FF613101000 26_2_00007FF613101000
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Code function: 26_2_00007FF613104A44 26_2_00007FF613104A44
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Code function: 26_2_00007FF6130E4A44 26_2_00007FF6130E4A44
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Code function: 26_2_00007FF613103E80 26_2_00007FF613103E80
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Code function: 26_2_00007FF6130EB2C0 26_2_00007FF6130EB2C0
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Code function: 26_2_00007FF61310D6F0 26_2_00007FF61310D6F0
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Code function: 26_2_00007FF6130F1B14 26_2_00007FF6130F1B14
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Code function: 26_2_00007FF6130E5330 26_2_00007FF6130E5330
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Code function: 26_2_00007FF6130F3554 26_2_00007FF6130F3554
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Code function: 26_2_00007FF6130E2950 26_2_00007FF6130E2950
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Code function: 26_2_00007FF6130F7170 26_2_00007FF6130F7170
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Code function: 26_2_00007FF613105DC0 26_2_00007FF613105DC0
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Code function: 26_2_00007FF61310C5F0 26_2_00007FF61310C5F0
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Code function: 26_2_00007FF61310F224 26_2_00007FF61310F224
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Code function: 26_2_00007FF6130FCE20 26_2_00007FF6130FCE20
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Code function: 26_2_00007FF6130E661C 26_2_00007FF6130E661C
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe Code function: 33_2_00007FF7B87139A0 33_2_00007FF7B87139A0
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe Code function: 33_2_00007FF7B87135EC 33_2_00007FF7B87135EC
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe Code function: 33_2_00007FF7B8718DF0 33_2_00007FF7B8718DF0
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe Code function: 33_2_00007FF7B871CE08 33_2_00007FF7B871CE08
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe Code function: 33_2_00007FF7B871EAB4 33_2_00007FF7B871EAB4
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe Code function: 33_2_00007FF7B87212E0 33_2_00007FF7B87212E0
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe Code function: 33_2_00007FF7B8704EC4 33_2_00007FF7B8704EC4
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe Code function: 33_2_00007FF7B8791690 33_2_00007FF7B8791690
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe Code function: 33_2_00007FF7B870DA8C 33_2_00007FF7B870DA8C
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe Code function: 33_2_00007FF7B8706B94 33_2_00007FF7B8706B94
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe Code function: 33_2_00007FF7B87177C0 33_2_00007FF7B87177C0
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe Code function: 33_2_00007FF7B8705410 33_2_00007FF7B8705410
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe Code function: 33_2_00007FF7B8744320 33_2_00007FF7B8744320
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe Code function: 33_2_00007FF7B87184C0 33_2_00007FF7B87184C0
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe Code function: 33_2_00007FF7B87164DC 33_2_00007FF7B87164DC
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe Code function: 33_2_00007FF7B871A858 33_2_00007FF7B871A858
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe Code function: 33_2_00007FF7B8718060 33_2_00007FF7B8718060
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe Code function: 35_2_00007FF742CE2BD8 35_2_00007FF742CE2BD8
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe Code function: 35_2_00007FF742CE03A0 35_2_00007FF742CE03A0
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe Code function: 35_2_00007FF742CE3718 35_2_00007FF742CE3718
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe Code function: 35_2_00007FF742CD44E8 35_2_00007FF742CD44E8
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe Code function: 35_2_00007FF742CD3514 35_2_00007FF742CD3514
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe Code function: 35_2_00007FF742CE0CA8 35_2_00007FF742CE0CA8
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe Code function: 35_2_00007FF742CEC4D0 35_2_00007FF742CEC4D0
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe Code function: 35_2_00007FF742CEB088 35_2_00007FF742CEB088
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe Code function: 35_2_00007FF742CD3080 35_2_00007FF742CD3080
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe Code function: 35_2_00007FF742CDA1A0 35_2_00007FF742CDA1A0
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe Code function: 35_2_00007FF742CDA5C8 35_2_00007FF742CDA5C8
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe Code function: 35_2_00007FF742CD8310 35_2_00007FF742CD8310
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe Code function: 35_2_00007FF742CE4F10 35_2_00007FF742CE4F10
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe Code function: 35_2_00007FF742CD6218 35_2_00007FF742CD6218
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC67107770 NtClose, 0_2_00007FFC67107770
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6712D520 NtQuerySystemInformation, 0_2_00007FFC6712D520
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FF740787394 new,NtQueryWnfStateData,RtlSubscribeWnfStateChangeNotification,GetLastError,RtlUnsubscribeWnfNotificationWaitForCompletion,SetLastError, 20_2_00007FF740787394
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C8D520 NtQuerySystemInformation, 20_2_00007FFC74C8D520
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C55CD0 RtlAddVectoredContinueHandler,VirtualProtect,VirtualProtect,RtlCreateUserThread,NtClose, 20_2_00007FFC74C55CD0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C5C4D0 CreateFileMappingW,VirtualAlloc,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject, 20_2_00007FFC74C5C4D0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C45F40 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject, 20_2_00007FFC74C45F40
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C67770 NtClose, 20_2_00007FFC74C67770
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C5AA70 VirtualAlloc,NtDuplicateObject,RtlQueueApcWow64Thread, 20_2_00007FFC74C5AA70
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C5BAE0 NtReadVirtualMemory, 20_2_00007FFC74C5BAE0
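The native-function evidence above is the API footprint of section-based process injection: CloudNotifications.exe creates or opens a section (NtCreateSection, CreateFileMappingW), maps it (NtMapViewOfSection / NtUnmapViewOfSection), moves handles across process boundaries (NtDuplicateObject) and then forces execution in the target with RtlQueueApcWow64Thread or RtlCreateUserThread, while loaddll64.exe only touches NtClose and NtQuerySystemInformation. The following is an added example, not part of the Joe Sandbox report, that parses such "Code function" lines and scores each process by which injection primitives it combines. The grouping of APIs into primitives is the editor's assumption, not a classification the report defines; the sample input is the seven lines above, copied verbatim.

```python
import re
from collections import defaultdict

# Constructed sample input: the "Code function" evidence lines from the
# report that name Windows APIs, copied verbatim into a string.
SAMPLE_LINES = r"""
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC67107770 NtClose, 0_2_00007FFC67107770
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6712D520 NtQuerySystemInformation, 0_2_00007FFC6712D520
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C55CD0 RtlAddVectoredContinueHandler,VirtualProtect,VirtualProtect,RtlCreateUserThread,NtClose, 20_2_00007FFC74C55CD0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C5C4D0 CreateFileMappingW,VirtualAlloc,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject, 20_2_00007FFC74C5C4D0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C45F40 NtCreateSection,NtMapViewOfSection,NtUnmapViewOfSection,NtDuplicateObject,NtDuplicateObject, 20_2_00007FFC74C45F40
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C5AA70 VirtualAlloc,NtDuplicateObject,RtlQueueApcWow64Thread, 20_2_00007FFC74C5AA70
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C5BAE0 NtReadVirtualMemory, 20_2_00007FFC74C5BAE0
"""

# Grouping of APIs into injection primitives. This grouping is the
# editor's own assumption, not something the sandbox report defines.
PRIMITIVES = {
    "cross_process_memory": {
        "NtCreateSection", "CreateFileMappingW", "NtMapViewOfSection",
        "NtUnmapViewOfSection", "NtReadVirtualMemory", "NtWriteVirtualMemory",
    },
    "handle_transfer": {"NtDuplicateObject", "DuplicateHandle"},
    "remote_execution": {
        "RtlQueueApcWow64Thread", "NtQueueApcThread", "QueueUserAPC",
        "RtlCreateUserThread", "NtCreateThreadEx", "CreateRemoteThread",
    },
    "memory_protection": {"VirtualProtect", "VirtualProtectEx", "NtProtectVirtualMemory"},
}

# "Source: <process> Code function: <id> <API,API,...>, <id>"
LINE_RE = re.compile(
    r"^Source: (?P<process>.+?) Code function: (?P<fid>\S+) "
    r"(?P<apis>[A-Za-z0-9_,]+?), (?P=fid)$"
)


def parse_code_functions(text):
    """Turn report lines into records of (process, function id, API list)."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        apis = [a for a in m.group("apis").split(",") if a]
        records.append({"process": m.group("process"),
                        "function": m.group("fid"), "apis": apis})
    return records


def classify(apis):
    """Map one function's API list onto the primitive groups it touches."""
    hits = defaultdict(set)
    for api in apis:
        for group, names in PRIMITIVES.items():
            if api in names:
                hits[group].add(api)
    return hits


def assess(records):
    """Aggregate per process. A process that can both place memory in another
    process and trigger execution there is marked injection-capable."""
    per_process = {}
    for rec in records:
        entry = per_process.setdefault(
            rec["process"], {"primitives": defaultdict(set), "functions": []})
        hits = classify(rec["apis"])
        for group, names in hits.items():
            entry["primitives"][group] |= names
        if len(hits) >= 2:  # one routine combining two primitives: start here
            entry["functions"].append(rec["function"])
    for entry in per_process.values():
        prims = entry["primitives"]
        entry["injection_capable"] = bool(
            prims.get("cross_process_memory") and prims.get("remote_execution"))
        entry["primitives"] = {g: sorted(v) for g, v in prims.items() if v}
    return per_process


if __name__ == "__main__":
    for proc, verdict in assess(parse_code_functions(SAMPLE_LINES)).items():
        print(proc, "injection_capable=%s" % verdict["injection_capable"])
        for group, apis in verdict["primitives"].items():
            print("   ", group + ":", ", ".join(apis))
```

A process is only marked injection-capable when a cross-process memory primitive and a remote-execution trigger both appear, so loaddll64.exe stays clean while CloudNotifications.exe is flagged. The per-process function list keeps the four routines that pair two primitives in a single function; those are the addresses a reverser should open first.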
Source: eWlldJYfLc.dll Binary or memory string: OriginalFilenamedpnhupnp.dJ vs eWlldJYfLc.dll
Source: Dxpserver.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Dxpserver.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Dxpserver.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: mstsc.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SndVol.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Windows\System32\loaddll64.exe Section loaded: kernel34.dll
Source: C:\Windows\explorer.exe Section loaded: kernel34.dll
Source: C:\Windows\explorer.exe Section loaded: windows.globalization.dll
Source: C:\Windows\explorer.exe Section loaded: capabilityaccessmanagerclient.dll
Source: C:\Windows\explorer.exe Section loaded: kernel34.dll
Source: C:\Windows\explorer.exe Section loaded: kernel34.dll
Source: C:\Windows\explorer.exe Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\bj1HT\mfpmp.exe Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe Section loaded: kernel34.dll
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe Section loaded: kernel34.dll
Source: dwmapi.dll.4.dr Static PE information: Number of sections : 61 > 10
Source: ACTIVEDS.dll.4.dr Static PE information: Number of sections : 61 > 10
Source: MFPlat.DLL.4.dr Static PE information: Number of sections : 61 > 10
Source: Secur32.dll.4.dr Static PE information: Number of sections : 61 > 10
Source: DUI70.dll.4.dr Static PE information: Number of sections : 61 > 10
Source: UxTheme.dll0.4.dr Static PE information: Number of sections : 61 > 10
Source: XmlLite.dll.4.dr Static PE information: Number of sections : 61 > 10
Source: XmlLite.dll0.4.dr Static PE information: Number of sections : 61 > 10
Source: eWlldJYfLc.dll Static PE information: Number of sections : 60 > 10
Source: UxTheme.dll.4.dr Static PE information: Number of sections : 61 > 10
Source: eWlldJYfLc.dll Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: dwmapi.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: MFPlat.DLL.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: Secur32.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UxTheme.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: XmlLite.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: DUI70.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ACTIVEDS.dll.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: SppExtComObj.Exe.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: XmlLite.dll0.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: UxTheme.dll0.4.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: eWlldJYfLc.dll Virustotal: Detection: 67%
Source: eWlldJYfLc.dll Metadefender: Detection: 60%
Source: eWlldJYfLc.dll ReversingLabs: Detection: 88%
Source: C:\Windows\System32\loaddll64.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\System32\loaddll64.exe loaddll64.exe "C:\Users\user\Desktop\eWlldJYfLc.dll"
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\eWlldJYfLc.dll,IsInteractiveUserSession
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\eWlldJYfLc.dll,QueryActiveSession
Source: C:\Windows\System32\loaddll64.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Users\user\Desktop\eWlldJYfLc.dll,QueryUserToken
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\sdclt.exe C:\Windows\system32\sdclt.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\CloudNotifications.exe C:\Windows\system32\CloudNotifications.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\systemreset.exe C:\Windows\system32\systemreset.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\Dxpserver.exe C:\Windows\system32\Dxpserver.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\mfpmp.exe C:\Windows\system32\mfpmp.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\bj1HT\mfpmp.exe C:\Users\user\AppData\Local\bj1HT\mfpmp.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\msra.exe C:\Windows\system32\msra.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\mstsc.exe C:\Windows\system32\mstsc.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\n0R5g\mstsc.exe C:\Users\user\AppData\Local\n0R5g\mstsc.exe
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\SndVol.exe C:\Windows\system32\SndVol.exe
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe
Source: C:\Windows\explorer.exe Process created: unknown unknown
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: Dxpserver.exe.4.dr Binary string: FNULL%s\*.*...Device%s\%s%s%s\%s%s\Device\%s%s\Device
Source: classification engine Classification label: mal100.troj.expl.evad.winDLL@46/19@0/0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FF740783570 CoCreateInstance, 20_2_00007FF740783570
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C5CB00 GetProcessId,CreateToolhelp32Snapshot,Thread32First, 20_2_00007FFC74C5CB00
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe Mutant created: \Sessions\1\BaseNamedObjects\{02c91c43-0eca-a572-1a91-4df7a7da9f72}
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe Mutant created: \Sessions\1\BaseNamedObjects\{25ac7a03-cb33-2ddf-542d-93d552beab0b}
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FF740784798 FindResourceExW,LoadResource,LockResource, 20_2_00007FF740784798
Source: eWlldJYfLc.dll Static PE information: Image base 0x140000000 > 0x60000000
Source: eWlldJYfLc.dll Static file information: File size 1368064 > 1048576
Source: eWlldJYfLc.dll Static PE information: TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Source: Binary string: SndVol.pdbGCTL source: SndVol.exe, 00000023.00000000.548108875.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe, 00000023.00000002.574100528.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe.4.dr
Source: Binary string: SppExtComObj.pdb source: SppExtComObj.Exe.4.dr
Source: Binary string: MFPMP.pdb source: mfpmp.exe, 0000001D.00000000.471765821.00007FF670A47000.00000002.00000001.01000000.0000000D.sdmp, mfpmp.exe, 0000001D.00000002.500806173.00007FF670A47000.00000002.00000001.01000000.0000000D.sdmp, mfpmp.exe.4.dr
Source: Binary string: CloudNotifications.pdb source: CloudNotifications.exe, 00000014.00000000.405037506.00007FF74078B000.00000002.00000001.01000000.00000009.sdmp, CloudNotifications.exe, 00000014.00000002.430793146.00007FF74078B000.00000002.00000001.01000000.00000009.sdmp, CloudNotifications.exe.4.dr
Source: Binary string: deviceenroller.pdb source: DeviceEnroller.exe.4.dr
Source: Binary string: MFPMP.pdbUGP source: mfpmp.exe, 0000001D.00000000.471765821.00007FF670A47000.00000002.00000001.01000000.0000000D.sdmp, mfpmp.exe, 0000001D.00000002.500806173.00007FF670A47000.00000002.00000001.01000000.0000000D.sdmp, mfpmp.exe.4.dr
Source: Binary string: DXPServer.pdbGCTL source: Dxpserver.exe, 0000001A.00000000.442933050.00007FF613111000.00000002.00000001.01000000.0000000B.sdmp, Dxpserver.exe, 0000001A.00000002.465912323.00007FF613111000.00000002.00000001.01000000.0000000B.sdmp, Dxpserver.exe.4.dr
Source: Binary string: mstsc.pdbGCTL source: mstsc.exe, 00000021.00000000.509159807.00007FF7B8824000.00000002.00000001.01000000.00000010.sdmp, mstsc.exe, 00000021.00000002.535164127.00007FF7B8824000.00000002.00000001.01000000.00000010.sdmp, mstsc.exe.4.dr
Source: Binary string: CameraSettingsUIHost.pdbGCTL source: CameraSettingsUIHost.exe.4.dr
Source: Binary string: CameraSettingsUIHost.pdb source: CameraSettingsUIHost.exe.4.dr
Source: Binary string: SppExtComObj.pdbUGP source: SppExtComObj.Exe.4.dr
Source: Binary string: mstsc.pdb source: mstsc.exe, 00000021.00000000.509159807.00007FF7B8824000.00000002.00000001.01000000.00000010.sdmp, mstsc.exe, 00000021.00000002.535164127.00007FF7B8824000.00000002.00000001.01000000.00000010.sdmp, mstsc.exe.4.dr
Source: Binary string: DDODiag.pdbGCTL source: ddodiag.exe.4.dr
Source: Binary string: DDODiag.pdb source: ddodiag.exe.4.dr
Source: Binary string: SndVol.pdb source: SndVol.exe, 00000023.00000000.548108875.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe, 00000023.00000002.574100528.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe.4.dr
Source: Binary string: CloudNotifications.pdbGCTL source: CloudNotifications.exe, 00000014.00000000.405037506.00007FF74078B000.00000002.00000001.01000000.00000009.sdmp, CloudNotifications.exe, 00000014.00000002.430793146.00007FF74078B000.00000002.00000001.01000000.00000009.sdmp, CloudNotifications.exe.4.dr
Source: Binary string: DXPServer.pdb source: Dxpserver.exe, 0000001A.00000000.442933050.00007FF613111000.00000002.00000001.01000000.0000000B.sdmp, Dxpserver.exe, 0000001A.00000002.465912323.00007FF613111000.00000002.00000001.01000000.0000000B.sdmp, Dxpserver.exe.4.dr
Source: Binary string: deviceenroller.pdbGCTL source: DeviceEnroller.exe.4.dr
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6713D500 push rax; iretd 0_2_00007FFC6713D501
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C9D500 push rax; iretd 20_2_00007FFC74C9D501
Source: eWlldJYfLc.dll Static PE information: section name: .vxl
Source: eWlldJYfLc.dll Static PE information: section name: .qwubgr
Source: eWlldJYfLc.dll Static PE information: section name: .eer
Source: eWlldJYfLc.dll Static PE information: section name: .xwwauf
Source: eWlldJYfLc.dll Static PE information: section name: .pkc
Source: eWlldJYfLc.dll Static PE information: section name: .npkda
Source: eWlldJYfLc.dll Static PE information: section name: .vhs
Source: eWlldJYfLc.dll Static PE information: section name: .iaywj
Source: eWlldJYfLc.dll Static PE information: section name: .nasi
Source: eWlldJYfLc.dll Static PE information: section name: .zhvprh
Source: eWlldJYfLc.dll Static PE information: section name: .yatdsp
Source: eWlldJYfLc.dll Static PE information: section name: .njso
Source: eWlldJYfLc.dll Static PE information: section name: .lgliat
Source: eWlldJYfLc.dll Static PE information: section name: .ntqjh
Source: eWlldJYfLc.dll Static PE information: section name: .sucsek
Source: eWlldJYfLc.dll Static PE information: section name: .qsxjui
Source: eWlldJYfLc.dll Static PE information: section name: .twctcm
Source: eWlldJYfLc.dll Static PE information: section name: .nms
Source: eWlldJYfLc.dll Static PE information: section name: .ogj
Source: eWlldJYfLc.dll Static PE information: section name: .vrkgb
Source: eWlldJYfLc.dll Static PE information: section name: .gikfw
Source: eWlldJYfLc.dll Static PE information: section name: .ktl
Source: eWlldJYfLc.dll Static PE information: section name: .crcn
Source: eWlldJYfLc.dll Static PE information: section name: .wtfr
Source: eWlldJYfLc.dll Static PE information: section name: .hep
Source: eWlldJYfLc.dll Static PE information: section name: .ywg
Source: eWlldJYfLc.dll Static PE information: section name: .sqsp
Source: eWlldJYfLc.dll Static PE information: section name: .gzb
Source: eWlldJYfLc.dll Static PE information: section name: .fatlss
Source: eWlldJYfLc.dll Static PE information: section name: .plqa
Source: eWlldJYfLc.dll Static PE information: section name: .vzt
Source: eWlldJYfLc.dll Static PE information: section name: .dsbyd
Source: eWlldJYfLc.dll Static PE information: section name: .cdelc
Source: eWlldJYfLc.dll Static PE information: section name: .qkhkj
Source: eWlldJYfLc.dll Static PE information: section name: .mnzegr
Source: eWlldJYfLc.dll Static PE information: section name: .krw
Source: eWlldJYfLc.dll Static PE information: section name: .jvsmn
Source: eWlldJYfLc.dll Static PE information: section name: .bygpq
Source: eWlldJYfLc.dll Static PE information: section name: .kzdbu
Source: eWlldJYfLc.dll Static PE information: section name: .mwxorn
Source: eWlldJYfLc.dll Static PE information: section name: .raf
Source: eWlldJYfLc.dll Static PE information: section name: .zcyw
Source: eWlldJYfLc.dll Static PE information: section name: .zeczh
Source: eWlldJYfLc.dll Static PE information: section name: .pvv
Source: eWlldJYfLc.dll Static PE information: section name: .lug
Source: eWlldJYfLc.dll Static PE information: section name: .ski
Source: eWlldJYfLc.dll Static PE information: section name: .japjd
Source: eWlldJYfLc.dll Static PE information: section name: .mwtzml
Source: eWlldJYfLc.dll Static PE information: section name: .vgssf
Source: eWlldJYfLc.dll Static PE information: section name: .gsroye
Source: eWlldJYfLc.dll Static PE information: section name: .vcmr
Source: eWlldJYfLc.dll Static PE information: section name: .ufki
Source: eWlldJYfLc.dll Static PE information: section name: .btl
Source: eWlldJYfLc.dll Static PE information: section name: .pmeh
Source: mfpmp.exe.4.dr Static PE information: section name: .didat
Source: mstsc.exe.4.dr Static PE information: section name: .didat
Source: SndVol.exe.4.dr Static PE information: section name: .imrsiv
Source: SndVol.exe.4.dr Static PE information: section name: .didat
Source: DeviceEnroller.exe.4.dr Static PE information: section name: .didat
Source: CameraSettingsUIHost.exe.4.dr Static PE information: section name: .imrsiv
Source: CloudNotifications.exe.4.dr Static PE information: section name: .imrsiv
Source: CloudNotifications.exe.4.dr Static PE information: section name: .didat
Source: dwmapi.dll.4.dr Static PE information: section name: .vxl
Source: dwmapi.dll.4.dr Static PE information: section name: .qwubgr
Source: dwmapi.dll.4.dr Static PE information: section name: .eer
Source: dwmapi.dll.4.dr Static PE information: section name: .xwwauf
Source: dwmapi.dll.4.dr Static PE information: section name: .pkc
Source: dwmapi.dll.4.dr Static PE information: section name: .npkda
Source: dwmapi.dll.4.dr Static PE information: section name: .vhs
Source: dwmapi.dll.4.dr Static PE information: section name: .iaywj
Source: dwmapi.dll.4.dr Static PE information: section name: .nasi
Source: dwmapi.dll.4.dr Static PE information: section name: .zhvprh
Source: dwmapi.dll.4.dr Static PE information: section name: .yatdsp
Source: dwmapi.dll.4.dr Static PE information: section name: .njso
Source: dwmapi.dll.4.dr Static PE information: section name: .lgliat
Source: dwmapi.dll.4.dr Static PE information: section name: .ntqjh
Source: dwmapi.dll.4.dr Static PE information: section name: .sucsek
Source: dwmapi.dll.4.dr Static PE information: section name: .qsxjui
Source: dwmapi.dll.4.dr Static PE information: section name: .twctcm
Source: dwmapi.dll.4.dr Static PE information: section name: .nms
Source: dwmapi.dll.4.dr Static PE information: section name: .ogj
Source: dwmapi.dll.4.dr Static PE information: section name: .vrkgb
Source: dwmapi.dll.4.dr Static PE information: section name: .gikfw
Source: dwmapi.dll.4.dr Static PE information: section name: .ktl
Source: dwmapi.dll.4.dr Static PE information: section name: .crcn
Source: dwmapi.dll.4.dr Static PE information: section name: .wtfr
Source: dwmapi.dll.4.dr Static PE information: section name: .hep
Source: dwmapi.dll.4.dr Static PE information: section name: .ywg
Source: dwmapi.dll.4.dr Static PE information: section name: .sqsp
Source: dwmapi.dll.4.dr Static PE information: section name: .gzb
Source: dwmapi.dll.4.dr Static PE information: section name: .fatlss
Source: dwmapi.dll.4.dr Static PE information: section name: .plqa
Source: dwmapi.dll.4.dr Static PE information: section name: .vzt
Source: dwmapi.dll.4.dr Static PE information: section name: .dsbyd
Source: dwmapi.dll.4.dr Static PE information: section name: .cdelc
Source: dwmapi.dll.4.dr Static PE information: section name: .qkhkj
Source: dwmapi.dll.4.dr Static PE information: section name: .mnzegr
Source: dwmapi.dll.4.dr Static PE information: section name: .krw
Source: dwmapi.dll.4.dr Static PE information: section name: .jvsmn
Source: dwmapi.dll.4.dr Static PE information: section name: .bygpq
Source: dwmapi.dll.4.dr Static PE information: section name: .kzdbu
Source: dwmapi.dll.4.dr Static PE information: section name: .mwxorn
Source: dwmapi.dll.4.dr Static PE information: section name: .raf
Source: dwmapi.dll.4.dr Static PE information: section name: .zcyw
Source: dwmapi.dll.4.dr Static PE information: section name: .zeczh
Source: dwmapi.dll.4.dr Static PE information: section name: .pvv
Source: dwmapi.dll.4.dr Static PE information: section name: .lug
Source: dwmapi.dll.4.dr Static PE information: section name: .ski
Source: dwmapi.dll.4.dr Static PE information: section name: .japjd
Source: dwmapi.dll.4.dr Static PE information: section name: .mwtzml
Source: dwmapi.dll.4.dr Static PE information: section name: .vgssf
Source: dwmapi.dll.4.dr Static PE information: section name: .gsroye
Source: dwmapi.dll.4.dr Static PE information: section name: .vcmr
Source: dwmapi.dll.4.dr Static PE information: section name: .ufki
Source: dwmapi.dll.4.dr Static PE information: section name: .btl
Source: dwmapi.dll.4.dr Static PE information: section name: .pmeh
Source: dwmapi.dll.4.dr Static PE information: section name: .bfwtl
Source: MFPlat.DLL.4.dr Static PE information: section name: .vxl
Source: MFPlat.DLL.4.dr Static PE information: section name: .qwubgr
Source: MFPlat.DLL.4.dr Static PE information: section name: .eer
Source: MFPlat.DLL.4.dr Static PE information: section name: .xwwauf
Source: MFPlat.DLL.4.dr Static PE information: section name: .pkc
Source: MFPlat.DLL.4.dr Static PE information: section name: .npkda
Source: MFPlat.DLL.4.dr Static PE information: section name: .vhs
Source: MFPlat.DLL.4.dr Static PE information: section name: .iaywj
Source: MFPlat.DLL.4.dr Static PE information: section name: .nasi
Source: MFPlat.DLL.4.dr Static PE information: section name: .zhvprh
Source: MFPlat.DLL.4.dr Static PE information: section name: .yatdsp
Source: MFPlat.DLL.4.dr Static PE information: section name: .njso
Source: MFPlat.DLL.4.dr Static PE information: section name: .lgliat
Source: MFPlat.DLL.4.dr Static PE information: section name: .ntqjh
Source: MFPlat.DLL.4.dr Static PE information: section name: .sucsek
Source: MFPlat.DLL.4.dr Static PE information: section name: .qsxjui
Source: MFPlat.DLL.4.dr Static PE information: section name: .twctcm
Source: MFPlat.DLL.4.dr Static PE information: section name: .nms
Source: MFPlat.DLL.4.dr Static PE information: section name: .ogj
Source: MFPlat.DLL.4.dr Static PE information: section name: .vrkgb
Source: MFPlat.DLL.4.dr Static PE information: section name: .gikfw
Source: MFPlat.DLL.4.dr Static PE information: section name: .ktl
Source: MFPlat.DLL.4.dr Static PE information: section name: .crcn
Source: MFPlat.DLL.4.dr Static PE information: section name: .wtfr
Source: MFPlat.DLL.4.dr Static PE information: section name: .hep
Source: MFPlat.DLL.4.dr Static PE information: section name: .ywg
Source: MFPlat.DLL.4.dr Static PE information: section name: .sqsp
Source: MFPlat.DLL.4.dr Static PE information: section name: .gzb
Source: MFPlat.DLL.4.dr Static PE information: section name: .fatlss
Source: MFPlat.DLL.4.dr Static PE information: section name: .plqa
Source: MFPlat.DLL.4.dr Static PE information: section name: .vzt
Source: MFPlat.DLL.4.dr Static PE information: section name: .dsbyd
Source: MFPlat.DLL.4.dr Static PE information: section name: .cdelc
Source: MFPlat.DLL.4.dr Static PE information: section name: .qkhkj
Source: MFPlat.DLL.4.dr Static PE information: section name: .mnzegr
Source: MFPlat.DLL.4.dr Static PE information: section name: .krw
Source: MFPlat.DLL.4.dr Static PE information: section name: .jvsmn
Source: MFPlat.DLL.4.dr Static PE information: section name: .bygpq
Source: MFPlat.DLL.4.dr Static PE information: section name: .kzdbu
Source: MFPlat.DLL.4.dr Static PE information: section name: .mwxorn
Source: MFPlat.DLL.4.dr Static PE information: section name: .raf
Source: MFPlat.DLL.4.dr Static PE information: section name: .zcyw
Source: MFPlat.DLL.4.dr Static PE information: section name: .zeczh
Source: MFPlat.DLL.4.dr Static PE information: section name: .pvv
Source: MFPlat.DLL.4.dr Static PE information: section name: .lug
Source: MFPlat.DLL.4.dr Static PE information: section name: .ski
Source: MFPlat.DLL.4.dr Static PE information: section name: .japjd
Source: MFPlat.DLL.4.dr Static PE information: section name: .mwtzml
Source: MFPlat.DLL.4.dr Static PE information: section name: .vgssf
Source: MFPlat.DLL.4.dr Static PE information: section name: .gsroye
Source: MFPlat.DLL.4.dr Static PE information: section name: .vcmr
Source: MFPlat.DLL.4.dr Static PE information: section name: .ufki
Source: MFPlat.DLL.4.dr Static PE information: section name: .btl
Source: MFPlat.DLL.4.dr Static PE information: section name: .pmeh
Source: MFPlat.DLL.4.dr Static PE information: section name: .mivbr
Source: Secur32.dll.4.dr Static PE information: section name: .vxl
Source: Secur32.dll.4.dr Static PE information: section name: .qwubgr
Source: Secur32.dll.4.dr Static PE information: section name: .eer
Source: Secur32.dll.4.dr Static PE information: section name: .xwwauf
Source: Secur32.dll.4.dr Static PE information: section name: .pkc
Source: Secur32.dll.4.dr Static PE information: section name: .npkda
Source: Secur32.dll.4.dr Static PE information: section name: .vhs
Source: Secur32.dll.4.dr Static PE information: section name: .iaywj
Source: Secur32.dll.4.dr Static PE information: section name: .nasi
Source: Secur32.dll.4.dr Static PE information: section name: .zhvprh
Source: Secur32.dll.4.dr Static PE information: section name: .yatdsp
Source: Secur32.dll.4.dr Static PE information: section name: .njso
Source: Secur32.dll.4.dr Static PE information: section name: .lgliat
Source: Secur32.dll.4.dr Static PE information: section name: .ntqjh
Source: Secur32.dll.4.dr Static PE information: section name: .sucsek
Source: Secur32.dll.4.dr Static PE information: section name: .qsxjui
Source: Secur32.dll.4.dr Static PE information: section name: .twctcm
Source: Secur32.dll.4.dr Static PE information: section name: .nms
Source: Secur32.dll.4.dr Static PE information: section name: .ogj
Source: Secur32.dll.4.dr Static PE information: section name: .vrkgb
Source: Secur32.dll.4.dr Static PE information: section name: .gikfw
Source: Secur32.dll.4.dr Static PE information: section name: .ktl
Source: Secur32.dll.4.dr Static PE information: section name: .crcn
Source: Secur32.dll.4.dr Static PE information: section name: .wtfr
Source: Secur32.dll.4.dr Static PE information: section name: .hep
Source: Secur32.dll.4.dr Static PE information: section name: .ywg
Source: Secur32.dll.4.dr Static PE information: section name: .sqsp
Source: Secur32.dll.4.dr Static PE information: section name: .gzb
Source: Secur32.dll.4.dr Static PE information: section name: .fatlss
Source: Secur32.dll.4.dr Static PE information: section name: .plqa
Source: Secur32.dll.4.dr Static PE information: section name: .vzt
Source: Secur32.dll.4.dr Static PE information: section name: .dsbyd
Source: Secur32.dll.4.dr Static PE information: section name: .cdelc
Source: Secur32.dll.4.dr Static PE information: section name: .qkhkj
Source: Secur32.dll.4.dr Static PE information: section name: .mnzegr
Source: Secur32.dll.4.dr Static PE information: section name: .krw
Source: Secur32.dll.4.dr Static PE information: section name: .jvsmn
Source: Secur32.dll.4.dr Static PE information: section name: .bygpq
Source: Secur32.dll.4.dr Static PE information: section name: .kzdbu
Source: Secur32.dll.4.dr Static PE information: section name: .mwxorn
Source: Secur32.dll.4.dr Static PE information: section name: .raf
Source: Secur32.dll.4.dr Static PE information: section name: .zcyw
Source: Secur32.dll.4.dr Static PE information: section name: .zeczh
Source: Secur32.dll.4.dr Static PE information: section name: .pvv
Source: Secur32.dll.4.dr Static PE information: section name: .lug
Source: Secur32.dll.4.dr Static PE information: section name: .ski
Source: Secur32.dll.4.dr Static PE information: section name: .japjd
Source: Secur32.dll.4.dr Static PE information: section name: .mwtzml
Source: Secur32.dll.4.dr Static PE information: section name: .vgssf
Source: Secur32.dll.4.dr Static PE information: section name: .gsroye
Source: Secur32.dll.4.dr Static PE information: section name: .vcmr
Source: Secur32.dll.4.dr Static PE information: section name: .ufki
Source: Secur32.dll.4.dr Static PE information: section name: .btl
Source: Secur32.dll.4.dr Static PE information: section name: .pmeh
Source: Secur32.dll.4.dr Static PE information: section name: .uuuuw
Source: UxTheme.dll.4.dr Static PE information: section name: .vxl
Source: UxTheme.dll.4.dr Static PE information: section name: .qwubgr
Source: UxTheme.dll.4.dr Static PE information: section name: .eer
Source: UxTheme.dll.4.dr Static PE information: section name: .xwwauf
Source: UxTheme.dll.4.dr Static PE information: section name: .pkc
Source: UxTheme.dll.4.dr Static PE information: section name: .npkda
Source: UxTheme.dll.4.dr Static PE information: section name: .vhs
Source: UxTheme.dll.4.dr Static PE information: section name: .iaywj
Source: UxTheme.dll.4.dr Static PE information: section name: .nasi
Source: UxTheme.dll.4.dr Static PE information: section name: .zhvprh
Source: UxTheme.dll.4.dr Static PE information: section name: .yatdsp
Source: UxTheme.dll.4.dr Static PE information: section name: .njso
Source: UxTheme.dll.4.dr Static PE information: section name: .lgliat
Source: UxTheme.dll.4.dr Static PE information: section name: .ntqjh
Source: UxTheme.dll.4.dr Static PE information: section name: .sucsek
Source: UxTheme.dll.4.dr Static PE information: section name: .qsxjui
Source: UxTheme.dll.4.dr Static PE information: section name: .twctcm
Source: UxTheme.dll.4.dr Static PE information: section name: .nms
Source: UxTheme.dll.4.dr Static PE information: section name: .ogj
Source: UxTheme.dll.4.dr Static PE information: section name: .vrkgb
Source: UxTheme.dll.4.dr Static PE information: section name: .gikfw
Source: UxTheme.dll.4.dr Static PE information: section name: .ktl
Source: UxTheme.dll.4.dr Static PE information: section name: .crcn
Source: UxTheme.dll.4.dr Static PE information: section name: .wtfr
Source: UxTheme.dll.4.dr Static PE information: section name: .hep
Source: UxTheme.dll.4.dr Static PE information: section name: .ywg
Source: UxTheme.dll.4.dr Static PE information: section name: .sqsp
Source: UxTheme.dll.4.dr Static PE information: section name: .gzb
Source: UxTheme.dll.4.dr Static PE information: section name: .fatlss
Source: UxTheme.dll.4.dr Static PE information: section name: .plqa
Source: UxTheme.dll.4.dr Static PE information: section name: .vzt
Source: UxTheme.dll.4.dr Static PE information: section name: .dsbyd
Source: UxTheme.dll.4.dr Static PE information: section name: .cdelc
Source: UxTheme.dll.4.dr Static PE information: section name: .qkhkj
Source: UxTheme.dll.4.dr Static PE information: section name: .mnzegr
Source: UxTheme.dll.4.dr Static PE information: section name: .krw
Source: UxTheme.dll.4.dr Static PE information: section name: .jvsmn
Source: UxTheme.dll.4.dr Static PE information: section name: .bygpq
Source: UxTheme.dll.4.dr Static PE information: section name: .kzdbu
Source: UxTheme.dll.4.dr Static PE information: section name: .mwxorn
Source: UxTheme.dll.4.dr Static PE information: section name: .raf
Source: UxTheme.dll.4.dr Static PE information: section name: .zcyw
Source: UxTheme.dll.4.dr Static PE information: section name: .zeczh
Source: UxTheme.dll.4.dr Static PE information: section name: .pvv
Source: UxTheme.dll.4.dr Static PE information: section name: .lug
Source: UxTheme.dll.4.dr Static PE information: section name: .ski
Source: UxTheme.dll.4.dr Static PE information: section name: .japjd
Source: UxTheme.dll.4.dr Static PE information: section name: .mwtzml
Source: UxTheme.dll.4.dr Static PE information: section name: .vgssf
Source: UxTheme.dll.4.dr Static PE information: section name: .gsroye
Source: UxTheme.dll.4.dr Static PE information: section name: .vcmr
Source: UxTheme.dll.4.dr Static PE information: section name: .ufki
Source: UxTheme.dll.4.dr Static PE information: section name: .btl
Source: UxTheme.dll.4.dr Static PE information: section name: .pmeh
Source: UxTheme.dll.4.dr Static PE information: section name: .leg
Source: XmlLite.dll.4.dr Static PE information: section name: .vxl
Source: XmlLite.dll.4.dr Static PE information: section name: .qwubgr
Source: XmlLite.dll.4.dr Static PE information: section name: .eer
Source: XmlLite.dll.4.dr Static PE information: section name: .xwwauf
Source: XmlLite.dll.4.dr Static PE information: section name: .pkc
Source: XmlLite.dll.4.dr Static PE information: section name: .npkda
Source: XmlLite.dll.4.dr Static PE information: section name: .vhs
Source: XmlLite.dll.4.dr Static PE information: section name: .iaywj
Source: XmlLite.dll.4.dr Static PE information: section name: .nasi
Source: XmlLite.dll.4.dr Static PE information: section name: .zhvprh
Source: XmlLite.dll.4.dr Static PE information: section name: .yatdsp
Source: XmlLite.dll.4.dr Static PE information: section name: .njso
Source: XmlLite.dll.4.dr Static PE information: section name: .lgliat
Source: XmlLite.dll.4.dr Static PE information: section name: .ntqjh
Source: XmlLite.dll.4.dr Static PE information: section name: .sucsek
Source: XmlLite.dll.4.dr Static PE information: section name: .qsxjui
Source: XmlLite.dll.4.dr Static PE information: section name: .twctcm
Source: XmlLite.dll.4.dr Static PE information: section name: .nms
Source: XmlLite.dll.4.dr Static PE information: section name: .ogj
Source: XmlLite.dll.4.dr Static PE information: section name: .vrkgb
Source: XmlLite.dll.4.dr Static PE information: section name: .gikfw
Source: XmlLite.dll.4.dr Static PE information: section name: .ktl
Source: XmlLite.dll.4.dr Static PE information: section name: .crcn
Source: XmlLite.dll.4.dr Static PE information: section name: .wtfr
Source: XmlLite.dll.4.dr Static PE information: section name: .hep
Source: XmlLite.dll.4.dr Static PE information: section name: .ywg
Source: XmlLite.dll.4.dr Static PE information: section name: .sqsp
Source: XmlLite.dll.4.dr Static PE information: section name: .gzb
Source: XmlLite.dll.4.dr Static PE information: section name: .fatlss
Source: XmlLite.dll.4.dr Static PE information: section name: .plqa
Source: XmlLite.dll.4.dr Static PE information: section name: .vzt
Source: XmlLite.dll.4.dr Static PE information: section name: .dsbyd
Source: XmlLite.dll.4.dr Static PE information: section name: .cdelc
Source: XmlLite.dll.4.dr Static PE information: section name: .qkhkj
Source: XmlLite.dll.4.dr Static PE information: section name: .mnzegr
Source: XmlLite.dll.4.dr Static PE information: section name: .krw
Source: XmlLite.dll.4.dr Static PE information: section name: .jvsmn
Source: XmlLite.dll.4.dr Static PE information: section name: .bygpq
Source: XmlLite.dll.4.dr Static PE information: section name: .kzdbu
Source: XmlLite.dll.4.dr Static PE information: section name: .mwxorn
Source: XmlLite.dll.4.dr Static PE information: section name: .raf
Source: XmlLite.dll.4.dr Static PE information: section name: .zcyw
Source: XmlLite.dll.4.dr Static PE information: section name: .zeczh
Source: XmlLite.dll.4.dr Static PE information: section name: .pvv
Source: XmlLite.dll.4.dr Static PE information: section name: .lug
Source: XmlLite.dll.4.dr Static PE information: section name: .ski
Source: XmlLite.dll.4.dr Static PE information: section name: .japjd
Source: XmlLite.dll.4.dr Static PE information: section name: .mwtzml
Source: XmlLite.dll.4.dr Static PE information: section name: .vgssf
Source: XmlLite.dll.4.dr Static PE information: section name: .gsroye
Source: XmlLite.dll.4.dr Static PE information: section name: .vcmr
Source: XmlLite.dll.4.dr Static PE information: section name: .ufki
Source: XmlLite.dll.4.dr Static PE information: section name: .btl
Source: XmlLite.dll.4.dr Static PE information: section name: .pmeh
Source: XmlLite.dll.4.dr Static PE information: section name: .sfgb
Source: DUI70.dll.4.dr Static PE information: section name: .vxl
Source: DUI70.dll.4.dr Static PE information: section name: .qwubgr
Source: DUI70.dll.4.dr Static PE information: section name: .eer
Source: DUI70.dll.4.dr Static PE information: section name: .xwwauf
Source: DUI70.dll.4.dr Static PE information: section name: .pkc
Source: DUI70.dll.4.dr Static PE information: section name: .npkda
Source: DUI70.dll.4.dr Static PE information: section name: .vhs
Source: DUI70.dll.4.dr Static PE information: section name: .iaywj
Source: DUI70.dll.4.dr Static PE information: section name: .nasi
Source: DUI70.dll.4.dr Static PE information: section name: .zhvprh
Source: DUI70.dll.4.dr Static PE information: section name: .yatdsp
Source: DUI70.dll.4.dr Static PE information: section name: .njso
Source: DUI70.dll.4.dr Static PE information: section name: .lgliat
Source: DUI70.dll.4.dr Static PE information: section name: .ntqjh
Source: DUI70.dll.4.dr Static PE information: section name: .sucsek
Source: DUI70.dll.4.dr Static PE information: section name: .qsxjui
Source: DUI70.dll.4.dr Static PE information: section name: .twctcm
Source: DUI70.dll.4.dr Static PE information: section name: .nms
Source: DUI70.dll.4.dr Static PE information: section name: .ogj
Source: DUI70.dll.4.dr Static PE information: section name: .vrkgb
Source: DUI70.dll.4.dr Static PE information: section name: .gikfw
Source: DUI70.dll.4.dr Static PE information: section name: .ktl
Source: DUI70.dll.4.dr Static PE information: section name: .crcn
Source: DUI70.dll.4.dr Static PE information: section name: .wtfr
Source: DUI70.dll.4.dr Static PE information: section name: .hep
Source: DUI70.dll.4.dr Static PE information: section name: .ywg
Source: DUI70.dll.4.dr Static PE information: section name: .sqsp
Source: DUI70.dll.4.dr Static PE information: section name: .gzb
Source: DUI70.dll.4.dr Static PE information: section name: .fatlss
Source: DUI70.dll.4.dr Static PE information: section name: .plqa
Source: DUI70.dll.4.dr Static PE information: section name: .vzt
Source: DUI70.dll.4.dr Static PE information: section name: .dsbyd
Source: DUI70.dll.4.dr Static PE information: section name: .cdelc
Source: DUI70.dll.4.dr Static PE information: section name: .qkhkj
Source: DUI70.dll.4.dr Static PE information: section name: .mnzegr
Source: DUI70.dll.4.dr Static PE information: section name: .krw
Source: DUI70.dll.4.dr Static PE information: section name: .jvsmn
Source: DUI70.dll.4.dr Static PE information: section name: .bygpq
Source: DUI70.dll.4.dr Static PE information: section name: .kzdbu
Source: DUI70.dll.4.dr Static PE information: section name: .mwxorn
Source: DUI70.dll.4.dr Static PE information: section name: .raf
Source: DUI70.dll.4.dr Static PE information: section name: .zcyw
Source: DUI70.dll.4.dr Static PE information: section name: .zeczh
Source: DUI70.dll.4.dr Static PE information: section name: .pvv
Source: DUI70.dll.4.dr Static PE information: section name: .lug
Source: DUI70.dll.4.dr Static PE information: section name: .ski
Source: DUI70.dll.4.dr Static PE information: section name: .japjd
Source: DUI70.dll.4.dr Static PE information: section name: .mwtzml
Source: DUI70.dll.4.dr Static PE information: section name: .vgssf
Source: DUI70.dll.4.dr Static PE information: section name: .gsroye
Source: DUI70.dll.4.dr Static PE information: section name: .vcmr
Source: DUI70.dll.4.dr Static PE information: section name: .ufki
Source: DUI70.dll.4.dr Static PE information: section name: .btl
Source: DUI70.dll.4.dr Static PE information: section name: .pmeh
Source: DUI70.dll.4.dr Static PE information: section name: .mquhr
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .vxl
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .qwubgr
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .eer
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .xwwauf
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .pkc
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .npkda
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .vhs
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .iaywj
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .nasi
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .zhvprh
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .yatdsp
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .njso
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .lgliat
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .ntqjh
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .sucsek
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .qsxjui
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .twctcm
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .nms
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .ogj
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .vrkgb
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .gikfw
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .ktl
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .crcn
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .wtfr
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .hep
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .ywg
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .sqsp
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .gzb
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .fatlss
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .plqa
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .vzt
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .dsbyd
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .cdelc
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .qkhkj
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .mnzegr
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .krw
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .jvsmn
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .bygpq
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .kzdbu
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .mwxorn
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .raf
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .zcyw
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .zeczh
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .pvv
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .lug
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .ski
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .japjd
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .mwtzml
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .vgssf
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .gsroye
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .vcmr
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .ufki
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .btl
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .pmeh
Source: ACTIVEDS.dll.4.dr Static PE information: section name: .nfr
Source: SppExtComObj.Exe.4.dr Static PE information: section name: ?g_Encry
Source: XmlLite.dll0.4.dr Static PE information: section name: .vxl
Source: XmlLite.dll0.4.dr Static PE information: section name: .qwubgr
Source: XmlLite.dll0.4.dr Static PE information: section name: .eer
Source: XmlLite.dll0.4.dr Static PE information: section name: .xwwauf
Source: XmlLite.dll0.4.dr Static PE information: section name: .pkc
Source: XmlLite.dll0.4.dr Static PE information: section name: .npkda
Source: XmlLite.dll0.4.dr Static PE information: section name: .vhs
Source: XmlLite.dll0.4.dr Static PE information: section name: .iaywj
Source: XmlLite.dll0.4.dr Static PE information: section name: .nasi
Source: XmlLite.dll0.4.dr Static PE information: section name: .zhvprh
Source: XmlLite.dll0.4.dr Static PE information: section name: .yatdsp
Source: XmlLite.dll0.4.dr Static PE information: section name: .njso
Source: XmlLite.dll0.4.dr Static PE information: section name: .lgliat
Source: XmlLite.dll0.4.dr Static PE information: section name: .ntqjh
Source: XmlLite.dll0.4.dr Static PE information: section name: .sucsek
Source: XmlLite.dll0.4.dr Static PE information: section name: .qsxjui
Source: XmlLite.dll0.4.dr Static PE information: section name: .twctcm
Source: XmlLite.dll0.4.dr Static PE information: section name: .nms
Source: XmlLite.dll0.4.dr Static PE information: section name: .ogj
Source: XmlLite.dll0.4.dr Static PE information: section name: .vrkgb
Source: XmlLite.dll0.4.dr Static PE information: section name: .gikfw
Source: XmlLite.dll0.4.dr Static PE information: section name: .ktl
Source: XmlLite.dll0.4.dr Static PE information: section name: .crcn
Source: XmlLite.dll0.4.dr Static PE information: section name: .wtfr
Source: XmlLite.dll0.4.dr Static PE information: section name: .hep
Source: XmlLite.dll0.4.dr Static PE information: section name: .ywg
Source: XmlLite.dll0.4.dr Static PE information: section name: .sqsp
Source: XmlLite.dll0.4.dr Static PE information: section name: .gzb
Source: XmlLite.dll0.4.dr Static PE information: section name: .fatlss
Source: XmlLite.dll0.4.dr Static PE information: section name: .plqa
Source: XmlLite.dll0.4.dr Static PE information: section name: .vzt
Source: XmlLite.dll0.4.dr Static PE information: section name: .dsbyd
Source: XmlLite.dll0.4.dr Static PE information: section name: .cdelc
Source: XmlLite.dll0.4.dr Static PE information: section name: .qkhkj
Source: XmlLite.dll0.4.dr Static PE information: section name: .mnzegr
Source: XmlLite.dll0.4.dr Static PE information: section name: .krw
Source: XmlLite.dll0.4.dr Static PE information: section name: .jvsmn
Source: XmlLite.dll0.4.dr Static PE information: section name: .bygpq
Source: XmlLite.dll0.4.dr Static PE information: section name: .kzdbu
Source: XmlLite.dll0.4.dr Static PE information: section name: .mwxorn
Source: XmlLite.dll0.4.dr Static PE information: section name: .raf
Source: XmlLite.dll0.4.dr Static PE information: section name: .zcyw
Source: XmlLite.dll0.4.dr Static PE information: section name: .zeczh
Source: XmlLite.dll0.4.dr Static PE information: section name: .pvv
Source: XmlLite.dll0.4.dr Static PE information: section name: .lug
Source: XmlLite.dll0.4.dr Static PE information: section name: .ski
Source: XmlLite.dll0.4.dr Static PE information: section name: .japjd
Source: XmlLite.dll0.4.dr Static PE information: section name: .mwtzml
Source: XmlLite.dll0.4.dr Static PE information: section name: .vgssf
Source: XmlLite.dll0.4.dr Static PE information: section name: .gsroye
Source: XmlLite.dll0.4.dr Static PE information: section name: .vcmr
Source: XmlLite.dll0.4.dr Static PE information: section name: .ufki
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe Code function: 33_2_00007FF7B871BEA0 LoadLibraryW,GetProcAddress,GetProcAddress, 33_2_00007FF7B871BEA0
Source: Dxpserver.exe.4.dr Static PE information: 0xABA47AA2 [Sat Apr 2 16:00:34 2061 UTC]
Source: initial sample Static PE information: section name: .text entropy: 7.78392111205
Source: initial sample Static PE information: section name: .text entropy: 7.59477523886
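
The three static findings above (randomised section names across every dropped DLL, a .text entropy close to 8 bits per byte, and a Dxpserver.exe.4.dr TimeDateStamp that falls in 2061) are all readable from the COFF header and the section table without executing anything. The script below is an added example, not code from this report or from any tool it names. It builds a small PE32+ image in memory with a constructed section table (the names .vxl and .qwubgr and the timestamp 0xABA47AA2 are taken from the report, the section contents are made up), then parses it back with the standard library alone and flags exactly those three conditions. STANDARD_SECTIONS is an assumption, a short whitelist of names that MSVC-linked binaries commonly carry; extend it for other toolchains before using it for triage.

```python
import math
import struct
import time
from collections import Counter
from datetime import datetime, timezone

# Assumption: a short illustrative whitelist of section names ordinary MSVC-linked
# binaries carry. Anything else is worth a second look, not automatically malicious.
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".pdata", ".idata", ".edata",
                     ".rsrc", ".reloc", ".bss", ".tls", ".CRT", ".gfids", ".00cfg", "_RDATA"}
ENTROPY_THRESHOLD = 7.0        # bits per byte; packed or encrypted code sits near 8.0
SAMPLE_TIMESTAMP = 0xABA47AA2  # TimeDateStamp the report shows for Dxpserver.exe.4.dr


def entropy(data):
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return 0.0 - sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_pe(timestamp, sections):
    """Construct a minimal PE32+ image: DOS stub, PE signature, COFF header, an
    otherwise empty optional header, one section header per (name, data) pair,
    and the raw section data appended after the headers. Test input only."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt = b"\x0b\x02" + b"\0" * 238            # PE32+ magic 0x20B; rest unused here
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), timestamp, 0, 0, len(opt), 0x2022)
    raw_ptr = e_lfanew + 4 + len(coff) + len(opt) + 40 * len(sections)
    headers, body = b"", b""
    for name, data in sections:
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, relocs/linenumbers (unused), Characteristics (code, r/x)
        headers += struct.pack("<8sIIIIIIHHI", name.encode(), len(data), 0x1000,
                               len(data), raw_ptr + len(body), 0, 0, 0, 0, 0x60000020)
        body += data
    return dos + b"PE\0\0" + coff + opt + headers + body


def parse_pe(buf):
    """Read Machine, TimeDateStamp and the section table; compute entropy per section."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    sec_off = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(nsec):
        raw_name, _, _, raw_size, raw_ptr, *_ = struct.unpack_from("<8sIIIIIIHHI", buf, sec_off + 40 * i)
        name = raw_name.rstrip(b"\0").decode("latin-1")
        sections.append((name, entropy(buf[raw_ptr:raw_ptr + raw_size])))
    return {"machine": machine, "timestamp": stamp, "sections": sections}


def triage(buf, now_ts=None):
    """Return the static findings a triage analyst flags first, as plain strings."""
    info = parse_pe(buf)
    now_ts = int(time.time()) if now_ts is None else now_ts
    built = datetime.fromtimestamp(info["timestamp"], tz=timezone.utc)
    findings = []
    if info["timestamp"] > now_ts:
        findings.append(f"compile timestamp in the future: {built:%Y-%m-%d %H:%M:%S} UTC")
    for name, ent in info["sections"]:
        if name not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name: {name}")
        if ent > ENTROPY_THRESHOLD:
            findings.append(f"high entropy in {name}: {ent:.2f} bits/byte")
    return findings


# Constructed sample: .text filled with uniformly distributed bytes (entropy 8.0) stands
# in for packed code; the other two names are taken from the report's dropped DLLs.
SAMPLE_PE = build_pe(SAMPLE_TIMESTAMP, [
    (".text", bytes(range(256)) * 4),
    (".vxl", b"\0" * 64),
    (".qwubgr", b"ABCD" * 16),
])

if __name__ == "__main__":
    for finding in triage(SAMPLE_PE):
        print(finding)
```

Run against the constructed image it reports the 2061 timestamp, both non-standard names and the 8.00 bits/byte .text section; pointing parse_pe at a real dropped DLL from this report would list the full run of random names shown above.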
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\n0R5g\Secur32.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\n0R5g\mstsc.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\EQ0DjT2sP\CameraSettingsUIHost.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\O0z6Mm4\XmlLite.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\aJcBg\DeviceEnroller.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\bj1HT\mfpmp.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\4O9p1cGN\dwmapi.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\aJcBg\XmlLite.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\EQ0DjT2sP\DUI70.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\vFRJtv0CU\SppExtComObj.Exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Nz4mnM\UxTheme.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\vFRJtv0CU\ACTIVEDS.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\R7Mg9\UxTheme.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\O0z6Mm4\ddodiag.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\bj1HT\MFPlat.DLL Jump to dropped file
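
The eighteen drops above land as pairs, one per freshly named directory under %LOCALAPPDATA%: an executable carrying the name of a Windows binary (mstsc.exe, SndVol.exe, Dxpserver.exe, mfpmp.exe, ...) beside a DLL carrying the name of a DLL that ships in System32 (Secur32.dll, UxTheme.dll, dwmapi.dll, MFPlat.DLL, ...). For an import that is not on the KnownDLLs list the loader searches the application's own directory before System32, so the DLL placed beside the copied executable is loaded in place of the real one, which is the DLL search-order hijacking (side-loading) pattern. The script below is an added example, not the sandbox's logic or code from the sample: it parses the report's own "File created" lines (embedded here as constructed input), groups drops by directory and reports every directory holding an EXE/DLL pair in a user-writable staging location. SYSTEM_DLL_NAMES is an assumption, a hand-picked stand-in for an enumeration of %SystemRoot%\System32. A practitioner would follow up by checking each dropped EXE's Authenticode signature (they are expected to be unmodified Microsoft binaries) and treating the companion DLL as the payload to detonate.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed input: the "File created" evidence lines quoted from the report above.
REPORT_LINES = r"""
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\n0R5g\Secur32.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\n0R5g\mstsc.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\EQ0DjT2sP\CameraSettingsUIHost.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\O0z6Mm4\XmlLite.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\aJcBg\DeviceEnroller.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\bj1HT\mfpmp.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\4O9p1cGN\dwmapi.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\aJcBg\XmlLite.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\EQ0DjT2sP\DUI70.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\vFRJtv0CU\SppExtComObj.Exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Nz4mnM\UxTheme.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\vFRJtv0CU\ACTIVEDS.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\R7Mg9\UxTheme.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\O0z6Mm4\ddodiag.exe Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\bj1HT\MFPlat.DLL Jump to dropped file
"""

DROP_RE = re.compile(r"^Source: (?P<writer>\S+) File created: (?P<path>.+?) Jump to dropped file$")
# A directory exactly one level below AppData\Local: user-writable, no admin rights needed.
STAGING_DIR_RE = re.compile(r"\\AppData\\Local\\[^\\]+$", re.IGNORECASE)
# Assumption: short stand-in for an enumeration of %SystemRoot%\System32 DLL names.
SYSTEM_DLL_NAMES = {"secur32.dll", "dwmapi.dll", "uxtheme.dll", "xmllite.dll",
                    "dui70.dll", "activeds.dll", "mfplat.dll"}


def parse_drops(text):
    """Return (writer process, PureWindowsPath of dropped file) for each evidence line."""
    drops = []
    for line in text.splitlines():
        m = DROP_RE.match(line.strip())
        if m:
            drops.append((m.group("writer"), PureWindowsPath(m.group("path"))))
    return drops


def find_sideload_pairs(drops):
    """Group dropped PE files by directory; return the directories holding an EXE/DLL pair."""
    by_dir = defaultdict(lambda: {"exe": [], "dll": [], "writers": set()})
    for writer, path in drops:
        kind = path.suffix.lower().lstrip(".")      # handles .Exe and .DLL casing
        if kind in ("exe", "dll"):
            entry = by_dir[str(path.parent)]
            entry[kind].append(path.name)
            entry["writers"].add(writer)
    pairs = []
    for directory, entry in by_dir.items():
        if entry["exe"] and entry["dll"]:
            pairs.append({
                "dir": directory,
                "exe": sorted(entry["exe"]),
                "dll": sorted(entry["dll"]),
                "writers": sorted(entry["writers"]),
                "user_writable_staging": bool(STAGING_DIR_RE.search(directory)),
                "dll_shadows_system32": any(n.lower() in SYSTEM_DLL_NAMES for n in entry["dll"]),
            })
    return sorted(pairs, key=lambda p: p["dir"].lower())


if __name__ == "__main__":
    for p in find_sideload_pairs(parse_drops(REPORT_LINES)):
        flags = [k for k in ("user_writable_staging", "dll_shadows_system32") if p[k]]
        print(f"{p['dir']}: {', '.join(p['exe'])} + {', '.join(p['dll'])}  [{' '.join(flags)}]")
```

On the report's lines this yields nine pairs, all written by explorer.exe into AppData\Local and all with a DLL name that shadows a System32 DLL; the same grouping works on Sysmon event ID 11 (FileCreate) data once the path is extracted from the event instead of from the report line.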
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Code function: 26_2_00007FF6130F3080 WinSqmSetString,IsIconic,ShowWindow,GetSystemMenu,CheckMenuItem, 26_2_00007FF6130F3080
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe Code function: 33_2_00007FF7B87139A0 SetFocus,LoadCursorW,SetCursor,DefWindowProcW,GetClientRect,IsIconic,memset,GetTitleBarInfo,GetCursorPos,SendMessageW, 33_2_00007FF7B87139A0
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe Code function: 33_2_00007FF7B870F5A4 DefWindowProcW,IsIconic,GetClientRect,GetLastError,VariantClear,DefWindowProcW, 33_2_00007FF7B870F5A4
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe Code function: 33_2_00007FF7B878C560 GetWindowRect,IsWindow,IsIconic,GetSystemMetrics,GetSystemMetrics,GetWindowRect,PtInRect,PtInRect,SystemParametersInfoW,CopyRect,SetWindowPos, 33_2_00007FF7B878C560
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe Code function: 33_2_00007FF7B870CE48 IsIconic,GetWindowPlacement,GetLastError, 33_2_00007FF7B870CE48
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe Code function: 33_2_00007FF7B8709A6C IsIconic,GetWindowPlacement,GetWindowRect, 33_2_00007FF7B8709A6C
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe Code function: 33_2_00007FF7B870CF28 IsIconic,GetWindowPlacement,GetLastError,IsZoomed,SetWindowPlacement,GetLastError,SetWindowPos,SetWindowPos,GetClientRect,MoveWindow, 33_2_00007FF7B870CF28
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe Code function: 33_2_00007FF7B8711B44 lstrcmpW,LockWindowUpdate,IsIconic,GetWindowPlacement,GetWindowLongW,SetWindowLongW,SetWindowLongW,VariantInit,VariantClear,GetRgnBox,OffsetRgn,VariantClear,ShowWindow,SetWindowPos,SetWindowPos,SetWindowRgn,LockWindowUpdate, 33_2_00007FF7B8711B44
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe Code function: 33_2_00007FF7B8712F5C IsWindowVisible,IsIconic, 33_2_00007FF7B8712F5C
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe Code function: 33_2_00007FF7B87104F8 IsZoomed,IsIconic,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem,EnableMenuItem, 33_2_00007FF7B87104F8
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe Code function: 33_2_00007FF7B8712884 GetWindowRect,GetWindowLongW,GetWindowLongW,memset,CopyRect,IntersectRect,MoveWindow,IsIconic,memset,GetWindowPlacement, 33_2_00007FF7B8712884
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe TID: 5344 Thread sleep count: 63 > 30 Jump to behavior
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\EQ0DjT2sP\CameraSettingsUIHost.exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\aJcBg\DeviceEnroller.exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\EQ0DjT2sP\DUI70.dll Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\vFRJtv0CU\SppExtComObj.Exe Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\vFRJtv0CU\ACTIVEDS.dll Jump to dropped file
Source: C:\Windows\explorer.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\O0z6Mm4\ddodiag.exe Jump to dropped file
Source: C:\Windows\System32\loaddll64.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe API coverage: 0.3 %
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe API coverage: 0.4 %
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe API coverage: 0.3 %
Source: C:\Windows\System32\loaddll64.exe Process information queried: ProcessInformation Jump to behavior
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6711DDC0 GetSystemInfo, 0_2_00007FFC6711DDC0
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC6711ED10 FindFirstFileExW, 0_2_00007FFC6711ED10
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FFC74C7ED10 FindFirstFileExW, 20_2_00007FFC74C7ED10
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Code function: 26_2_00007FF6130E1914 SHCreateDirectory,memset,FindFirstFileW,CompareStringOrdinal,CompareStringOrdinal,CompareStringOrdinal,CompareStringOrdinal,SHCreateDirectory,CompareStringOrdinal,CreateFileW,CloseHandle,GetLastError,SetFileAttributesW,CopyFileExW,GetLastError,CoCreateGuid,StringFromGUID2,MoveFileW,GetLastError,CopyFileExW,GetLastError,FindNextFileW,FindClose,GetLastError, 26_2_00007FF6130E1914
Source: explorer.exe, 00000004.00000000.304934300.000000000832A000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: 00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA
Source: explorer.exe, 00000004.00000000.303147807.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000004.00000000.303959479.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}m&ven_n
Source: explorer.exe, 00000004.00000000.280980769.0000000000680000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: _VMware_SATA_CD00#5&280b647&
Source: explorer.exe, 00000004.00000000.340794911.000000000069D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.303959479.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000004.00000000.303959479.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}t]
Source: explorer.exe, 00000004.00000000.267951079.00000000062C4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.263815655.0000000004287000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}0
Source: explorer.exe, 00000004.00000000.303880362.000000000820E000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000
Source: explorer.exe, 00000004.00000000.303959479.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000025700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#000000001F400000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}}^
Source: explorer.exe, 00000004.00000000.303147807.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000004.00000000.303959479.0000000008223000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00l
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FF740781828 GetCurrentThreadId,memset,IsDebuggerPresent,OutputDebugStringW, 20_2_00007FF740781828
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe Code function: 33_2_00007FF7B871BEA0 LoadLibraryW,GetProcAddress,GetProcAddress, 33_2_00007FF7B871BEA0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FF7407859A4 TlsGetValue,GetProcessHeap,HeapFree,TlsSetValue,AcquireSRWLockExclusive,TlsFree,ReleaseSRWLockExclusive, 20_2_00007FF7407859A4
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC671097D0 LdrLoadDll,FindClose, 0_2_00007FFC671097D0
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FF740788410 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 20_2_00007FF740788410
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FF7407886F0 SetUnhandledExceptionFilter, 20_2_00007FF7407886F0
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Code function: 26_2_00007FF61310FCB0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 26_2_00007FF61310FCB0
Source: C:\Users\user\AppData\Local\4O9p1cGN\Dxpserver.exe Code function: 26_2_00007FF6131100E0 SetUnhandledExceptionFilter, 26_2_00007FF6131100E0
Source: C:\Users\user\AppData\Local\bj1HT\mfpmp.exe Code function: 29_2_00007FF670A429F0 SetUnhandledExceptionFilter, 29_2_00007FF670A429F0
Source: C:\Users\user\AppData\Local\bj1HT\mfpmp.exe Code function: 29_2_00007FF670A42D14 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 29_2_00007FF670A42D14
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe Code function: 33_2_00007FF7B8822264 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 33_2_00007FF7B8822264
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe Code function: 35_2_00007FF742CEF2E0 SetUnhandledExceptionFilter, 35_2_00007FF742CEF2E0
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe Code function: 35_2_00007FF742CEEE40 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 35_2_00007FF742CEEE40

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe File created: dwmapi.dll.4.dr Jump to dropped file
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFC866FEFE0 protect: page execute and read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFC866FE000 protect: page execute read Jump to behavior
Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFC85C32A20 protect: page execute and read and write Jump to behavior
Source: C:\Windows\System32\rundll32.exe Thread APC queued: target process: C:\Windows\explorer.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe Code function: 35_2_00007FF742CDA5C8 GetDC,GetDeviceCaps,ReleaseDC,LoadIconW,SendMessageW,GetWindowBand,FindWindowW,GetWindowBand,FindWindowW,SendMessageTimeoutW,GetWindowLongW,SetWindowLongW,SetForegroundWindow,IsThemeActive,DwmIsCompositionEnabled,GetWindowRect,GetClientRect,EnterCriticalSection,GetWindowRect,LeaveCriticalSection,SetWindowPos,LeaveCriticalSection,memset,Shell_NotifyIconGetRect,GetWindowRect,DwmIsCompositionEnabled,Shell_NotifyIconGetRect,InflateRect,CalculatePopupWindowPosition,SetWindowPos,InvalidateRect,GetClientRect,EnterCriticalSection,SetWindowPos,GetDlgItem,SetFocus,ShowWindow,LeaveCriticalSection,SetTimer,NotifyWinEvent, 35_2_00007FF742CDA5C8
Source: C:\Users\user\AppData\Local\bj1HT\mfpmp.exe Code function: 29_2_00007FF670A45730 EnterCriticalSection,IsDebuggerPresent,DebugBreak,GetLastError,SetLastError,LeaveCriticalSection, 29_2_00007FF670A45730
Source: C:\Users\user\AppData\Local\bj1HT\mfpmp.exe Code function: 29_2_00007FF670A454A0 EnterCriticalSection,IsDebuggerPresent,DebugBreak,LeaveCriticalSection, 29_2_00007FF670A454A0
Source: C:\Windows\System32\rundll32.exe Atom created: 405553565741544156488D6C24D14881EC98 (report disassembly, 32-bit mode: 0x00000000 inc eax 0x00000001 push ebp 0x00000002 push ebx 0x00000003 push esi 0x00000004 push edi 0x00000005 inc ecx 0x00000006 push esp 0x00000007 inc ecx 0x00000008 push esi 0x00000009 dec eax 0x0000000a lea ebp, dword ptr [esp-2Fh] 0x0000000e dec eax 0x0000000f sub esp, 00000098h). Note: the listing decodes the atom bytes as 32-bit code, which is misleading. The injection target explorer.exe is a 64-bit process (the protected bases above are 7FFC... addresses), and in 64-bit mode the same bytes are a standard x64 function prologue: 40 55 push rbp, 53 push rbx, 56 push rsi, 57 push rdi, 41 54 push r12, 41 56 push r14, 48 8D 6C 24 D1 lea rbp, [rsp-2Fh], 48 81 EC 98 sub rsp, 98h (only the first immediate byte is shown in the listing). Storing executable code in the global atom table, to be copied into the target with an APC to GlobalGetAtomName, is the first stage of the Atom Bombing injection reported above.
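The four rundll32.exe lines above (foreign-process protection changes to PAGE_EXECUTE_READWRITE, a queued APC into explorer.exe, and an atom whose payload is x64 code) are the evidence chain behind the "Uses Atom Bombing" signature. The script below is an added example, not part of the Joe Sandbox report or of the sample: it parses behaviour lines in the report's own text format, decodes the atom payload with a deliberately minimal x64 prologue decoder (push r64 with REX, lea r64,[rsp+disp8], sub rsp,imm32; nothing else), and only raises a finding when the same source process changed foreign memory to writable-and-executable, queued an APC into that target, and created an atom that decodes as a function prologue. The atom bytes are the ones quoted in the report; the other lines are constructed copies, plus one constructed explorer.exe self-protection line to show that same-process protection changes are ignored.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample lines in the report's "Source: ... " format. The atom hex
# is copied from the report; the self-protection line for explorer.exe is a
# constructed benign control that must not be flagged.
REPORT_LINES = [
    r"Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFC866FEFE0 protect: page execute and read and write",
    r"Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFC866FE000 protect: page execute read",
    r"Source: C:\Windows\System32\rundll32.exe Memory protected: C:\Windows\explorer.exe base: 7FFC85C32A20 protect: page execute and read and write",
    r"Source: C:\Windows\System32\rundll32.exe Thread APC queued: target process: C:\Windows\explorer.exe",
    r"Source: C:\Windows\System32\rundll32.exe Atom created: 405553565741544156488D6C24D14881EC98",
    r"Source: C:\Windows\explorer.exe Memory protected: C:\Windows\explorer.exe base: 00007FF600001000 protect: page execute and read and write",
]

MEMPROT = re.compile(r"Source: (?P<src>\S+) Memory protected: (?P<dst>\S+) base: (?P<base>[0-9A-Fa-f]+) protect: (?P<prot>.+)")
APC = re.compile(r"Source: (?P<src>\S+) Thread APC queued: target process: (?P<dst>\S+)")
ATOM = re.compile(r"Source: (?P<src>\S+) Atom created: (?P<hex>[0-9A-Fa-f]+)")

REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
          "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]


def decode_x64_prologue(code: bytes) -> List[str]:
    """Decode only the handful of instructions a compiler emits in an x64
    prologue. Any other opcode stops decoding; this is a classifier, not a
    disassembler."""
    out, i = [], 0
    while i < len(code):
        rex = 0
        if 0x40 <= code[i] <= 0x4F:            # REX prefix (inc/dec in 32-bit mode)
            rex = code[i]
            i += 1
            if i >= len(code):
                out.append("<truncated after REX prefix>")
                break
        op = code[i]
        if 0x50 <= op <= 0x57:                 # push r64; REX.B selects r8-r15
            out.append(f"push {REGS64[(op - 0x50) + (8 if rex & 1 else 0)]}")
            i += 1
        elif (op == 0x8D and rex & 8 and i + 3 < len(code)
              and (code[i + 1] & 0xC7) == 0x44 and code[i + 2] == 0x24):
            # lea r64, [rsp + disp8]: ModRM mod=01 rm=100 (SIB), SIB 0x24 = base rsp
            reg = ((code[i + 1] >> 3) & 7) + (8 if rex & 4 else 0)
            disp = code[i + 3] - 0x100 if code[i + 3] & 0x80 else code[i + 3]
            out.append(f"lea {REGS64[reg]}, [rsp{disp:+#x}]")
            i += 4
        elif op == 0x81 and rex & 8 and i + 1 < len(code) and code[i + 1] == 0xEC:
            imm = code[i + 2:i + 6]              # sub rsp, imm32 (81 /5, ModRM 0xEC)
            if len(imm) < 4:
                out.append(f"sub rsp, <imm32 truncated: {imm.hex()}>")
                i = len(code)
            else:
                out.append(f"sub rsp, {int.from_bytes(imm, 'little'):#x}")
                i += 6
        else:
            out.append(f"<unknown opcode {op:#04x}>")
            break
    return out


def looks_like_prologue(instrs: List[str]) -> bool:
    """Three or more register pushes followed by a stack adjustment is a
    function prologue, not a legitimate atom-table string."""
    pushes = sum(1 for s in instrs if s.startswith("push "))
    stack_adj = any(s.startswith("sub rsp") or s.startswith("lea rbp") for s in instrs)
    return pushes >= 3 and stack_adj


def find_atom_bombing(lines: List[str]) -> List[Dict]:
    """Correlate foreign RWX protection change + APC into the same target +
    code-bearing atom from the same source process."""
    state = defaultdict(lambda: {"rwx": [], "apc": False})
    atoms_by_src = defaultdict(list)
    for line in lines:
        m = MEMPROT.match(line)
        if m:
            foreign = m["src"].lower() != m["dst"].lower()
            if foreign and "write" in m["prot"] and "execute" in m["prot"]:
                state[(m["src"], m["dst"])]["rwx"].append(m["base"])
            continue
        m = APC.match(line)
        if m and m["src"].lower() != m["dst"].lower():
            state[(m["src"], m["dst"])]["apc"] = True
            continue
        m = ATOM.match(line)
        if m and len(m["hex"]) % 2 == 0:
            instrs = decode_x64_prologue(bytes.fromhex(m["hex"]))
            if looks_like_prologue(instrs):
                atoms_by_src[m["src"]].append(instrs)
    return [
        {"source": src, "target": dst, "rwx_bases": ev["rwx"], "atom_code": atoms_by_src[src]}
        for (src, dst), ev in state.items()
        if ev["rwx"] and ev["apc"] and atoms_by_src.get(src)
    ]


if __name__ == "__main__":
    for f in find_atom_bombing(REPORT_LINES):
        print(f"{f['source']} -> {f['target']}: RWX at {f['rwx_bases']}; atom decodes to {f['atom_code'][0]}")
```

The decoder is intentionally narrow: it only has to distinguish an x64 prologue from a real atom name, and the truncated immediate in the report's listing is reported as such rather than padded with zeros. Requiring all three observations from one source process keeps a single RWX protection change (common in JIT runtimes) or a lone APC from producing a finding on its own.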
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe "C:\Users\user\Desktop\eWlldJYfLc.dll",#1
Source: explorer.exe, 00000004.00000000.280992287.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.311718742.0000000000688000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.262606736.0000000000688000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: ProgmanEXE^
Source: explorer.exe, 00000004.00000000.341540544.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.281271896.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.271301902.00000000080ED000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.341540544.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.281271896.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.263000213.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: SndVol.exe, 00000023.00000000.548108875.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe, 00000023.00000002.574100528.00007FF742CF2000.00000002.00000001.01000000.00000012.sdmp, SndVol.exe.4.dr Binary or memory string: Software\Microsoft\Multimedia\Audio\SndVolSndVolPreferencesMaskSndVolSelectedDevicesShell_TrayWnd
Source: explorer.exe, 00000004.00000000.341540544.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.281271896.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.263000213.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.311774801.0000000000708000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.281130871.0000000000708000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.341049556.0000000000708000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd4
Source: explorer.exe, 00000004.00000000.341540544.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.281271896.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.263000213.0000000000BE0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: WProgram Manager
Source: C:\Users\user\AppData\Local\Nz4mnM\SndVol.exe Code function: GetUserPreferredUILanguages,malloc,GetUserPreferredUILanguages,GetLocaleInfoEx,free, 35_2_00007FF742CE9EF4
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Source: C:\Windows\System32\loaddll64.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\AppData\Local\R7Mg9\CloudNotifications.exe Code function: 20_2_00007FF740783614 RegGetValueW,RegGetValueW,GetSystemTimeAsFileTime,TranslateMessage,DispatchMessageW,GetMessageW, 20_2_00007FF740783614
Source: C:\Users\user\AppData\Local\n0R5g\mstsc.exe Code function: 33_2_00007FF7B881F5EC memset,GetVersionExW,GetVersionExW, 33_2_00007FF7B881F5EC
Source: C:\Windows\System32\loaddll64.exe Code function: 0_2_00007FFC67109400 GetUserNameW, 0_2_00007FFC67109400
No contacted IP infos